Merge pull request #239 from GalaxP/geolite

Added new module - geolite

Author: jaroslavpesek

geolite/Makefile.am

@@ -0,0 +1,18 @@
+EXTRA_DIST=geolite.py readme.md
+bin_SCRIPTS=geolite.py
+
+pkgdocdir=${docdir}/geolite
+pkgdoc_DATA=readme.md
+
+pylint:
+	pylint-3 geolite.py
+
+flake8:
+	flake8 geolite.py
+
+pycodestyle:
+	pycodestyle-3 geolite.py
+
+lint: pylint flake8 pycodestyle
+
+include ../aminclude.am

geolite/README.md

@@ -0,0 +1,90 @@
+# Geolite
+
+## Module description
+
+This module outputs flow records with geolocation data using a [geolite database](https://dev.maxmind.com/geoip/geolite2-free-geolocation-data/).
+
+
+## Input data
+
+This module expects flow records in Unirec format. The required fields
+are determined by run time parameters.
+
+
+## Output data
+
+Flows are sent on the output interface, also in Unirec format, they
+contain geolocation data. The fields included in the output interface will vary depending on the selected database type. 
+
+Below are the fields that will be set for each database type:
+* `country` 
+  * ipaddr `ip`
+  * string `name`
+  * string `iso_code`
+  * uint32 `geoname_id`
+  * uint32 `is_in_european_union`
+
+* `city`
+  * ipaddr `ip`
+  * string `country_name`
+  * string `country_iso_code`
+  * uint32 `country_geoname_id`
+  * uint32 `is_in_european_union`
+  * string `city_name` 
+  * float  `latitude`
+  * float  `longitude`
+  * uint32 `accuracy_radius`
+
+* `asn`
+  * ipaddr `ip`
+  * uint32 `asn`
+  * string `string autonomous_system_organization`
+
+
+## Module parameters
+
+In addition to the implicit *libtrap* parameters `-i IFC_SPEC`, `-h`
+and `-v` (see [Execute a
+module](https://github.com/CESNET/Nemea#try-out-nemea-modules)) this
+module takes the following parameters:
+
+* `-d` `--db` path
+  
+  * Specify path to the database file.
+
+* `-f` `--fields` field1,field2,... 
+
+  * Specify the name of field(s) from the input interface, which will be used for geolocation and lookup in the database (case sensitive).
+  If multiple fields are specified, they must be separated by a comma.
+
+* `-t` `--type` {country, city, asn}
+  
+  * Specify the type of GeoLite database. The default value is `country`.
+
+* `-c` `--cache` number
+
+  * Specify the number of lookup calls that will be cached. Set to `0` to disable caching. The default value is `128`.
+
+
+## Example
+The following command :
+
+`./geolite.py -i f:/etc/nemea/data/data.dan.trapcap,f:test.trapcap -d '/usr/share/GeoIP/GeoLite2-Country.mmdb' -t country -f "SRC_IP,DST_IP"`
+
+will be interpreted as follows:
+
+* `-i f:/etc/nemea/data/data.dan.trapcap,f:test.trapcap`
+  sets the input and output interfaces to a file.
+
+* `-d '/usr/share/GeoIP/GeoLite2-Country.mmdb'` sets the path to the database file.
+
+* `-t country` sets the database type to `country` (can be omitted as it is the default).
+
+* `-f "SRC_IP,DST_IP"` specifies the names of the fields containing IP addresses to be used for geolocation.
+
+<!--- Local variables: -->
+<!--- mode: markdown; -->
+<!--- mode: auto-fill; -->
+<!--- mode: flyspell; -->
+<!--- ispell-local-dictionary: "british"; -->
+<!--- End: -->

geolite/geolite.py

@@ -0,0 +1,162 @@
+#!/usr/bin/python3
+#
+# Copyright (C) 2025 CESNET
+#
+# LICENSE TERMS
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in
+#    the documentation and/or other materials provided with the
+#    distribution.
+# 3. Neither the name of the Company nor the names of its contributors
+#    may be used to endorse or promote products derived from this
+#    software without specific prior written permission.
+#
+# ALTERNATIVELY, provided that this notice is retained in full, this
+# product may be distributed under the terms of the GNU General Public
+# License (GPL) version 2 or later, in which case the provisions
+# of the GPL apply INSTEAD OF those given above.
+#
+# This software is provided ``as is'', and any express or implied
+# warranties, including, but not limited to, the implied warranties of
+# merchantability and fitness for a particular purpose are disclaimed.
+# In no event shall the company or contributors be liable for any
+# direct, indirect, incidental, special, exemplary, or consequential
+# damages (including, but not limited to, procurement of substitute
+# goods or services; loss of use, data, or profits; or business
+# interruption) however caused and on any theory of liability, whether
+# in contract, strict liability, or tort (including negligence or
+# otherwise) arising in any way out of the use of this software, even
+# if advised of the possibility of such damage.
+
+
+import argparse
+from functools import lru_cache
+import pytrap
+import geoip2.database
+
+
+CITY_OUTPUTSPEC = "ipaddr ip, string country_name, string country_iso_code, uint32 country_geoname_id, uint32 is_in_european_union, string city_name, float latitude, float longitude, uint32 accuracy_radius"
+COUNTRY_OUTPUTSPEC = "ipaddr ip, string name, string iso_code, uint32 geoname_id, uint32 is_in_european_union"
+ASN_OUTPUTSPEC = "ipaddr ip, uint32 asn, string autonomous_system_organization"
+
+
+parser = argparse.ArgumentParser(description='Module for geolocation using GeoLite2 database')
+parser.add_argument('-i', "--ifcspec",
+                    help="select TRAP IFC specifier")
+parser.add_argument('-d', "--db",
+                    help="path to the GeoLite2 database file",
+                    required=True)
+parser.add_argument('-f', "--fields",
+                    help="input fields to use for geolocation seperated by comma",
+                    default="SRC_IP")
+parser.add_argument('-t', "--type",
+                    help="type of GeoLite database",
+                    choices=['country', 'city', 'asn'],
+                    default="country")
+parser.add_argument('-c', "--cache",
+                    type=int,
+                    help="number of cached lookups. If set to 0, caching is disabled.",
+                    default=128)
+
+# parse command line arguments
+args = parser.parse_args()
+fields = args.fields.split(',')
+
+
+# initialize TRAP context
+trap = pytrap.TrapCtx()
+trap.init(['-i', args.ifcspec], 1, 1)
+
+# output interface
+fmttype = pytrap.FMT_UNIREC
+
+# set the correct output specification based on the type of GeoLite database
+if args.type == 'asn':
+    outputspec = ASN_OUTPUTSPEC
+elif args.type == 'city':
+    outputspec = CITY_OUTPUTSPEC
+else:
+    outputspec = COUNTRY_OUTPUTSPEC
+    
+trap.setDataFmt(0, fmttype, outputspec)
+output = pytrap.UnirecTemplate(outputspec)
+output.createMessage()
+
+# input interface
+fmtspec = ""
+trap.setRequiredFmt(0, fmttype, fmtspec)
+rec = pytrap.UnirecTemplate(fmtspec)
+
+# open GeoLite2 database reader
+with geoip2.database.Reader(args.db) as reader:
+    @lru_cache(maxsize=args.cache)
+    def lookup_in_database(lookup_ip):
+        #Function to look up the IP address in the GeoLite2 database.
+        if args.type == 'city':
+            return reader.city(lookup_ip)
+        elif args.type == 'country':
+            return reader.country(lookup_ip)
+        elif args.type == 'asn':
+            return reader.asn(lookup_ip)
+    
+
+    # main loop
+    while True:
+        try:
+            data = trap.recv()
+        except pytrap.FormatChanged as e:
+            fmttype, fmtspec = trap.getDataFmt(0)
+            rec = pytrap.UnirecTemplate(fmtspec)
+            data = e.data
+        except pytrap.Terminated:
+            print("Terminated trap.")
+            break
+        except pytrap.TrapError:
+            print("Trap error, exiting.")
+            break
+        if len(data) <= 1:
+            break
+
+        else:
+            rec.setData(data)
+            for field in fields:
+                ip = rec.get(data, field)
+                output.ip = ip
+                try:
+                    geolocation = lookup_in_database(str(ip))
+                except:
+                    continue
+                if geolocation is None:
+                    continue
+
+                # fill output fields based on geolocation type
+                if args.type == 'country':
+                    output.name = geolocation.country.name or "unkown"
+                    output.iso_code = geolocation.country.iso_code or "unkown"
+                    output.geoname_id = geolocation.country.geoname_id or 0
+                    output.is_in_european_union = geolocation.country.is_in_european_union or False
+                elif args.type == 'city':
+                    output.country_name = geolocation.country.name or "unkown"
+                    output.country_iso_code = geolocation.country.iso_code or "unkown"
+                    output.country_geoname_id = geolocation.country.geoname_id or 0
+                    output.is_in_european_union = geolocation.country.is_in_european_union or False
+                    output.city_name = geolocation.city.name or "unknown"
+                    output.latitude = geolocation.location.latitude or 0.0
+                    output.longitude = geolocation.location.longitude or 0.0
+                    output.accuracy_radius = geolocation.location.accuracy_radius or 0
+                elif args.type == 'asn':
+                    output.asn = geolocation.autonomous_system_number or 0
+                    output.autonomous_system_organization = geolocation.autonomous_system_organization or "unknown"
+
+                # send output data
+                trap.send(output.getData(), 0)
+
+# send end-of-stream message and exit
+trap.sendFlush(0)
+trap.finalize()